* Refine https documents * Transform AutoCertManager to business controller * Fix broken links
Showing 6 changed files with 92 additions and 82 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,7 +1,5 @@ | ||
# Security <!-- omit from toc --> | ||
|
||
- [HTTPS](#https) | ||
- [Let's Encrypt](#lets-encrypt) | ||
- [Security: Verify Credential](#security-verify-credential) | ||
- [Header](#header) | ||
- [JWT](#jwt) | ||
|
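Review bot: the TOC drops the HTTPS and Let's Encrypt entries, but nothing in this hunk tells a reader of the Security document where that material now lives; consider adding a TOC or intro line linking to the new "HTTPS and Let's Encrypt" document (its path is not visible in this rendered diff, so it is left unspecified here) so the Security page still leads to the certificate setup instructions.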
@@ -16,77 +14,6 @@ | |
- [Basic Auth](#basic-auth-1) | ||
- [Reference](#reference) | ||
|
||
|
||
## HTTPS | ||
|
||
Implementing HTTPS in `HTTPServer` is straightforward. You either provide the required certificates and keys, or employ `AutoCertManager` to handle them using services like `Let's Encrypt`. | ||
|
||
To activate HTTPS in your `HTTPServer`, toggle the `https` field to `true` and offer the relevant certificates and keys: | ||
|
||
```yaml | ||
name: demo | ||
kind: HTTPServer | ||
|
||
# Use HTTPS; default is false. | ||
# If true, set autocert or provide certs and keys. | ||
https: true | ||
|
||
# Automated certificate management, such as Let's Encrypt. | ||
# More info in AutoCertManager | ||
autoCert: false | ||
|
||
# Public keys in PEM base64 format | ||
certs: | ||
cert1: <public-key-data> | ||
cert2: <public-key-data> | ||
# Corresponding private keys | ||
keys: | ||
cert1: <private-key-data> | ||
cert2: <private-key-data> | ||
|
||
... | ||
``` | ||
|
||
|
||
## Let's Encrypt | ||
|
||
In Easegress, `AutoCertManager` automatically manage HTTPS certificates. The config looks like: | ||
|
||
```yaml | ||
kind: AutoCertManager | ||
name: autocert | ||
|
||
# An email address for CA account. | ||
email: [email protected] | ||
|
||
# The endpoint of the CA directory, not required. | ||
# Default to use Let's Encrypt. | ||
directoryURL: https://acme-v02.api.letsencrypt.org/directory | ||
|
||
# A certificate will be renewed before this duration of its expire time. | ||
# Default 720h. | ||
renewBefore: 720h | ||
|
||
# Enable HTTP-01 challenge, default true. | ||
enableHTTP01: true | ||
|
||
# Enable TLS-ALPN-01 challenge, default true. | ||
enableTLSALPN01: true | ||
|
||
# Enable DNS-01 challenge, default true. | ||
enableDNS01: true | ||
|
||
# Domains to be managed, required. | ||
domains: | ||
- name: "*.megaease.com" | ||
dnsProvider: | ||
name: dnspod | ||
zone: megaease.com | ||
apiToken: <token value> | ||
``` | ||
|
||
See more details about `AutoCertManager` in [here](../07.Reference/7.01.Controllers.md#autocertmanager). | ||
|
||
## Security: Verify Credential | ||
|
||
As a production-ready cloud-native traffic orchestrator, Easegress cares about security and provides several features to ensure that. | ||
|
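Review bot: the removed block carried defaults and constraints that the replacement prose does not repeat: `https` defaults to false, `autoCert` defaults to false, `renewBefore` defaults to 720h, all three challenge types (`enableHTTP01`, `enableTLSALPN01`, `enableDNS01`) default to true, `directoryURL` is optional and defaults to Let's Encrypt, and the comment that `https: true` requires either `autoCert` or explicit `certs`/`keys`. Make sure the new document keeps these, otherwise the information is lost in this refactor. The link `../07.Reference/7.01.Controllers.md#autocertmanager` is also deleted here, so the Security document no longer references the AutoCertManager reference page at all; keeping a one-line pointer in the "Security: Verify Credential" intro would preserve discoverability.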
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,83 @@ | ||
# HTTPS and Let's Encrypt <!-- omit from toc --> | ||
|
||
- [Introduction](#introduction) | ||
- [Configuring HTTPS in HTTPServer](#configuring-https-in-httpserver) | ||
- [Manual Configuration](#manual-configuration) | ||
- [Using AutoCertManager](#using-autocertmanager) | ||
- [AutoCertManager Configuration](#autocertmanager-configuration) | ||
|
||
|
||
## Introduction | ||
|
||
Easegress offers both manual and automated approach to manage HTTPS certificates. The automated method is using business controller AutoCertManager. This tutorial will guide you through setting up HTTPS in HTTPServer and configuring AutoCertManager for certificate management with Let's Encrypt. | ||
|
||
## Configuring HTTPS in HTTPServer | ||
|
||
To implement HTTPS in HTTPServer, you have two options: manually providing certificates and keys, or using AutoCertManager for automated certificate management. | ||
|
||
### Manual Configuration | ||
|
||
For manual configuration, you need to set https to true and provide your certificates and keys. | ||
|
||
```yaml | ||
name: demo | ||
kind: HTTPServer | ||
https: true | ||
autoCert: false | ||
certs: | ||
cert1: <public-key-data> | ||
cert2: <public-key-data> | ||
keys: | ||
cert1: <private-key-data> | ||
cert2: <private-key-data> | ||
... | ||
``` | ||
|
||
### Using AutoCertManager | ||
|
||
If you prefer automated management with Let's Encrypt, set autoCert to true. This will utilize the AutoCertManager. | ||
|
||
```yaml | ||
name: demo | ||
kind: HTTPServer | ||
https: true | ||
autoCert: true | ||
... | ||
``` | ||
|
||
## AutoCertManager Configuration | ||
|
||
`AutoCertManager` is a business controller, which is more special than others. Because there can be at most one instance of AutoCerManager. It manages HTTPS certificates and handles challenge traffic from Let's Encrypt. | ||
|
||
```yaml | ||
kind: AutoCertManager | ||
name: AutoCertManager | ||
email: [email protected] | ||
directoryURL: https://acme-v02.api.letsencrypt.org/directory | ||
renewBefore: 720h | ||
enableHTTP01: true | ||
enableTLSALPN01: true | ||
enableDNS01: true | ||
domains: | ||
- name: "*.megaease.com" | ||
dnsProvider: | ||
name: dnspod | ||
zone: megaease.com | ||
apiToken: <token value> | ||
``` | ||
|
||
Explanation of Fields: | ||
|
||
- email: Email address for Let's Encrypt registration. | ||
- directoryURL: CA directory URL (default: Let's Encrypt official one). | ||
- renewBefore: Time before expiry to renew the certificate. | ||
- enableHTTP01, enableTLSALPN01, enableDNS01: Challenge types to enable. | ||
- domains: Domains to manage, along with their DNS provider configurations. | ||
|
||
Assuming we have saved the config in `acm.yaml`, we could use this command to update global AutoCertManager. | ||
|
||
```bash | ||
$ egctl apply -f acm.aml | ||
``` | ||
|
||
See more details about `AutoCertManager` in [here](../07.Reference/7.01.Controllers.md#autocertmanager). |
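Review bot: the command in the last code block has a typo: `egctl apply -f acm.aml` should be `egctl apply -f acm.yaml`, matching the file name `acm.yaml` given in the sentence above it. Two smaller text issues in the same hunk: `AutoCerManager` in the "AutoCertManager Configuration" paragraph is missing a `t`, and "both manual and automated approach" should read "approaches". The "Explanation of Fields" list states no defaults, whereas the document this replaces did (`renewBefore` 720h, all challenge types enabled by default, `directoryURL` optional and defaulting to Let's Encrypt); restoring them under that list keeps the detail that was removed. The sample `name` also changed from `autocert` to `AutoCertManager`; since the text says at most one instance can exist, it would help to say whether the name is fixed or free. Finally, `apiToken` under `dnsProvider` is a DNS-provider credential that authorizes record changes in the `megaease.com` zone (that is what DNS-01 needs it for), so the field explanation should state that it is a secret placeholder and that the real value does not belong in a checked-in file.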